# startup_command: the command to run when Xsupplicant is first started.
# This command can do things such as configure the card to associate with
# the network properly.
startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>

The startup.sh will be created shortly.

When the client is authenticated, it will transmit a DHCP request or
manually set an IP address. Here, the Supplicant sets its IP address
manually in startup2.sh:

# first_auth_command: the command to run when Xsupplicant authenticates to
# a wireless network for the first time. This will usually be used to
# start a DHCP client process.
#first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>

Since "-i" is just for debugging purpose (and may
go away according to the developers),
"allow_interfaces" must be set:

allow_interfaces = eth0
deny_interfaces = eth1

Next, under the "NETWORK SECTION", we'll configure
PEAP:

# We'll be using PEAP
allow_types = eap_peap
# Don't want any eavesdropper to learn the username during the
# first phase (which is unencrypted), so 'identity hiding' is
# used (using a bogus username).
identity = <BEGIN_ID>anonymous<END_ID>
eap-peap {
# As in tls, define either a root certificate or a directory
# containing root certificates.
root_cert = /usr/local/etc/1x/certs/root.pem
#root_dir = /path/to/root/certificate/dir
#crl_dir = /path/to/dir/with/crl
chunk_size = 1398
random_file = /dev/urandom
#cncheck = myradius.radius.com # Verify that the server certificate
# has this value in its CN field.
#cnexact = yes # Should it be an exact match?
session_resume = yes
# Currently 'all' is just mschapv2.
# If no allow_types is defined, all is assumed.
#allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
allow_types = eap_mschapv2
# Right now, you can do any of these methods in PEAP:
eap-mschapv2 {
username = <BEGIN_UNAME>testuser<END_UNAME>
password = <BEGIN_PASS>Secret149<END_PASS>
}
}

The Supplicant must first associate with the access point. The
script startup.sh does that job. It is also
the first command Xsupplicant executes.

Notice the bogus key we give to iwconfig (enc
000000000)! This key is used to tell the driver
to run in encrypted mode. The key gets replaced after successful
authentication. This can be set to enc
off only if encryption is disabled in the AP (for
testing purposes).

Both startup.sh and
startup2.sh must be saved under
/usr/local/etc/1x/.